
Yeah, the Welchia triggers are going off but it isn't *exactly* the same because the nachia triggers are also going off. We saw this write up and are all too familiar with W32.Welchia. What we are seeing is a tad different.

Thanks for the heads up though Pure. Oh, and PM me when you get a chance. I have to ask you something.

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

My logs have been overburdened by a bunch of attacks on port 135 since August. So I'm completely unable to notice an increase of such attacks in my area.
I can only affirm that my router's ISP are infected by every new worm which appears. They are so efficient for this task that they could be turned into worm traps by an AV company.

Originally posted here by KissCool
My logs have been overburdened by a bunch of attacks on port 135 since August. So I'm completely unable to notice an increase of such attacks in my area.
I can only affirm that my router's ISP are infected by every new worm which appears. They are so efficient for this task that they could be turned into worm traps by an AV company.

Please excuse the syntax, might not work exactly as planned, but the idea is to read the log file, filter only the logs from your internal IP on the firewall/gateway machine and to filter again to only logs on that particular port. This should help you narrow down to just the logs you're interested in.

FWIW, my logs show some increase in port 135 activity, but they are being flooded with port 554 which IIRC is a RealNetworks server.... So I guess there's a new exploit out against that too because I haven't noticed concerted scanning for that port in the past.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
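The two-stage filter described in the post above, as an added example that is not part of the original thread. It assumes iptables-style log lines with `DST=` and `DPT=` fields; the function names, the address 203.0.113.10 and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Constructed sample lines in an iptables-style LOG format (assumed format).
sample_log() {
cat <<'EOF'
Aug 30 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=4021 DPT=135 SYN
Aug 30 10:05:40 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=1135 DPT=554 SYN
Aug 31 02:11:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3380 DPT=135 SYN
Aug 31 02:11:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3381 DPT=135 SYN
Aug 31 02:12:30 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.135 LEN=48 PROTO=TCP SPT=3382 DPT=1350 SYN
Aug 31 03:00:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=135 DPT=554 SYN
EOF
}

# filter_hits DST_IP DPORT
# Reads log lines on stdin and prints those whose DST= and DPT= fields match
# exactly. A plain "grep 135" would also match SPT=1135, DPT=1350 or an
# address ending in .135.
filter_hits() {
    awk -v ip="$1" -v port="$2" '
    {
        dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dst == ip && dpt == port) print
    }'
}

# hits_per_day DST_IP DPORT
# Counts matching lines per syslog date ("Mon DD"), in order of first
# appearance, so a jump stands out against the usual background noise.
hits_per_day() {
    filter_hits "$1" "$2" | awk '
    { day = $1 " " $2; if (!(day in n)) order[++k] = day; n[day]++ }
    END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

sample_log | hits_per_day 203.0.113.10 135
```

Against a real log, replace `sample_log` with `cat` on the firewall's log file and pass the address the gateway logs as the destination.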

filter only the logs from your internal IP on the firewall/gateway machine and to filter again to only logs on that particular port. This should help you narrow down to just the logs you're interested in.

It could work in other circumstances, but I am obliged to monitor external traffic because I have blocked everything which is going to port 135 in order to, precisely, protect my internal network, which one is not targeted in order to act as a honeypot.